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Department of Defense 


The Department of Defense (DoD) Business Mission Area (BMA) accounts for roughly half of the DoD 
Information Technology (IT) budget. Many of the DoD’s business systems have been in use for years and are straining 
to support the agility of business operations necessary today. As well, many new systems are being developed on such a 
scale that it takes nearly a decade to produce the first results. .A potential answer to this situation is delivering business 
capabilities through a service-oriented architecture (SOA)'. Much of the private sector is rapidly moving in this direc- 
tion. The question is, will it work for the DoD? This article is about the results of market research conducted by the 
BMA Chief Technical Officer (CTO) and Chief Architect (CA) over a period of about six months to learn about 
state-of-the-art SOA and what the DoD can count on from SOA vendors to deliver both business services and SOA 
infrastructure in the near- to mid-term. 7 


he DoD is perhaps the largest and 

most complex organization in the 
world, employing nearly 1.4 million people 
and holding approximately $1.4 trillion in 
assets. IT spending for business support 
activities in the DoD BMA—funds to 
operate, maintain, and modernize business 
systems—comprise $15.7 billion of annu- 
al DoD IT spending, roughly equal to the 
rest of the federal government. 

While the DoD has long been 
acknowledged for its premier warfighting 
capabilities, fragmentation of financial 
and business management practices leaves 
the DoD vulnerable to waste, fraud, and 
abuse, as well as risk of failure on 
attempts to build larger, more complex 
systems. To support the DoD mission 
and the changing nature of the threats to 


which the federal government must 
respond, the DoD BMA is engaged in a 
massive business transformation. It must 
modernize and become agile in order to 
support 21st century national security 
requirements. The BMA CTO evaluated 
DoD BMA enterprise processes and asso- 
ciated systems—including human re- 
source and personnel mafiagement, sup- 
ply chain, and logistics, as well as financial 
and accounting management functions— 
to determine the best strategy for achiev- 
ing agility. After analysis and assessment 
of BMA objectives and study of the over- 
all direction for IT within the DoD, the 
strategy selected to move the BMA for- 
ward is the adoption of an SOA. 

The US. Government Accountability 
Office describes an SOA as an “approach 


Figure 1: The Business Transformation Infrastructure 
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for sharing functions and applications 
across an organization by designing them 
as discrete, reusable, business-oriented ser- 
vices” [1]. Most importantly, an SOA. is a 
mechanism by which business capabilities 
can be aligned with the technical infra- 
structure in support of an agile business 
strategy. The DoD’s SOA vision calls for 
such alignment through an architecture of 
discrete components called services deliver- 
ing business capabilities deployed in a sup- 
portive infrastructure designed for this pur- 
pose. The Office of the BMA CTO and 
CA collaborated with the chief informa- 
tion officers (CIOs) representing the mili- 
tary services, defense agencies, combatant 
commands, mission areas, and DoD 
Enterprise Services to develop an SOA 
strategy, including a supporting environ- 
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ment termed the Business Operating 
Environment (BOE). The BOE leverages 
industry best practices to federate techni- 
cal architectures, develop capability 
requirements, and support the delivery of 
portfolios of business capabilities based 
on collections of atomic and/or compos- 
ite service orchestrations. The BOE is 
defined in [2], which details the infrastruc- 
ture component of the BOE and the busi- 
ness transformation infrastructure (BTT), 
shown in Figure 1 (on the previous page). 
Some functions of the BTI will be met 
through and built upon the DoD Global 
Information Grid Enterprise Services. 
The technical core of the BTI, designated 
the Business Transformation Engine 
(BTE), is to be built from commercially 
available products. 

To assess the feasibility of this strate- 
gy, the BMA CTO conducted market 
research into maturity and readiness to 
support this strategy in SOA technologies 
from more than 30 organizations. These 
had survived a preliminary screening to 
ensure that they were realistic and rele- 
vant. The technical research included all 
components of the BTE, and was con- 
ducted in accordance with departmental 
regulations guiding pre-acquisition market 
research. The organizations provided live 
demonstrations of their development, 
test, operational, and production environ- 
ments. CIO offices from each military ser- 
vice and many defense agencies were 
invited to attend and participate in the 
presentations. This article provides 
research conclusions across the BTE com- 
ponents (numbered in Figure 1), as well as 
SOA information assurance and gover- 
nance. 


Industry Readiness to Support 
Key BTI Capabilities 


The research approach gathered data to 
correspond to key technical capabilities 
required to build the BTI and included an 
assessment of the industry’s maturity in 
providing tools to support these technical 
capabilities. The research did not consider 
SOA technologies not relevant to the BTT. 
In this section, we present the assessment. 


Interoperability Controller 

The interoperability controller component 
of the BTI is a pattern or foundation 
architecture for brokering, routing, and 
processing messages and service invoca- 
tions within an SOA. It consists of an 
extensible set of integration brokers inter- 
connected on the network by robust mes- 
saging middleware. The research looked at 
products supporting this pattern, examin- 


ing them for a number of characteristics, 
including support for indirection and 
interception, loose coupling, scalability, 
and robustness. In general, the products 
that most closely support this pattern are 
enterprise service bus (ESB) products, as 
well as enterprise application integration 
and message-oriented middleware through 
composition. 

The market research shows that the 
state of industry products as reasonably 
mature and can support the implementa- 
tion of the BMA vision for the BTT’s 
interoperability controller component. 
The message-oriented middleware and 
enterprise application integration product 
vendors have been working in this direc- 


tion through many generations of prod- 


“The challenge ... is to 
build a standards-based 
SOA that leverages the 
success of Web 
technologies rather than 
an ESB-based solution 
that provides some 
aspects of SOA but 
could lead to 
over-dependence on a 
particular vendor's 
technology.”’ 


ucts. The ESB vendors have built on this 
experience to provide an enterprise-wide 
solution, though often with proprietary 
features. The challenge with the latter is to 
build a standards-based SOA that lever- 
ages the success of Web technologies 
rather than an ESB-based solution that 
provides some aspects of SOA but could 
lead to over-dependence on a particular 
vendor’s technology. 


Mediation — Standard and High 
Volume 

While increasingly more BMA systems 
and data sources will communicate 
natively in terms of standard message 
sets and vocabularies, there is a short- 
term need for mediation of information 
exchanges, translating, and transforming 
messages between information providers 


and consumers. The research found good 
support of this pattern in both the stan- 
dard and high-volume variations. Many 
vendors, (such as Fiorano, BEA Systems, 
IBM, Iona, Tibco, and webMethods) are 
producing capable transformation 
engines, especially those focused on 
eXtensible Markup Language (XML) 
messaging and the use of Extensible 
Stylesheet Language Transformation 
engines. For high volume, Ab Initio, with 
its advanced parallel processing capabili- 
ties, allows for the development of high- 
performance, straight-through mediation 
services. However, the vision for dynam- 
ic generation of transformations on a 
semantic mediation basis was found to 
still be a future capability. The semantic 
technology needed is immature, so 
semantic tools from companies like 
Revelytix and IBM are best suited for 
supporting development time activities, 
with semantics being early-bound into 
runtime environments. 


Service Discovery and Metadata 
Registries 

The BMA’s approach to SOA calls for 
metadata registries and repositories sup- 
porting the discovery of services and 
information assets. DoD registries are 
built around Organization for the 
Advancement of Structured Information 
standards, such as Universal Description 
and Discovery Interface (UDDI) and elec- 
tronic business XML (ebXML) Registry 
Information Model and Registry Services 
(including a UDDI service registry), a 
Metadata Registry that contains the DoD’s 
structural and semantic metadata, and an 
enterprise catalog containing DoD specifi- 
cation metadata to support discovery of 
information assets. Given the DoD’s size 
and the likely need to federate registries, 
the BMA included this category in the 
market research. 

Many of the vendors in the market 
research provide UDDI service registries, 
notably Systinet, now a part of HP. Many 
vendors include UDDI capability (e.g., 
IBM, BEA, Software AG), with a number 
of vendors using Systinet. Many vendors 
also include metadata management capa- 
bilities and repository components (e.g,, 
Fiorano, Lombardi), while others such as 
Revelytix specialize around semantic 
metadata. The DoD’s metadata discovery - 
specification is not directly supported by 
vendors, though those that support the 
ebXML architecture can act as enterprise 
catalog instances. 


Business Activity Monitoring 
Business activity monitoring (BAM) 


allows management of an SOA in busi- 
ness terms. Market research found that 
BAM is still in early development. There 
are many vendors providing BAM func- 
tionality coming from diverse industry 
segments. Application integration and 
enterprise software vendors (BEA, 
Fiorano, IBM, IONA Technologies, 
Microsoft, Oracle, SAP, TIBCO, web- 
Methods, etc.) are extending existing 
assets and acquiring additional capabili- 
ties in order to support BAM. Business 
intelligence vendors (Business Objects, 
Cognos, Software AG, etc.) are working 
to adapt technology and incorporate 
_ business rules engines into their solu- 
tions to support real-time BAM opera- 
tions. There is also a set of pure-play 
BAM providers who focus on complete 
BAM solutions. Overall, the research 
found little standardization across ven- 
dor implementations, making true inter- 
operability difficult to achieve on an 
enterprise level. The most common uses 
found in the research revolve more 
around project-based, application-spe- 
cific uses rather than as general enter- 
prise infrastructure. 


Enterprise Services Management 
Enterprise services management (ESM) 
provides for managing the service life 
cycle and is the foundation for SOA run- 
time governance. Market research found 
a limited number of SOA ESM vendors. 
The main vendors (e.g., IBM, Hewlett- 
Packard) possess strong portfolios in 
traditional network management and 
integrated service management markets 
that they have extended to ESM. Most 
of the tools researched include feature 
sets spanning the range from low-level 
IT service management to the higher- 
level business management needs, and 
the differences are more in terms of 
focus. Often, a more comprehensive 
solution can be composed by combining 
products (e.g, AmberPoint and HP 
OpenView SOA Manager). 


Business Process and Workflow 
Automation (Business Process 
Modeling, Execution, and Monitoring) 
The BTI must provide for the modeling 
and execution of business processes 
through the orchestration of services, 
and the monitoring of those business 
processes. While the research found that 
there are still many proprietary modeling 
offerings, there is considerable conver- 
gence around Business Process 
Modeling Notation (BPMN). The 
research also found strong support 
across vendors for the Business Process 
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Execution Language standard, though 
there is also emerging support for direct 
execution of BPMN through the use of 
the XML Process Definition Language, 
an XML serialization of BPMN. Many 
vendors also provide the needed moni- 
toring of those processes at runtime, 
often building on extensive experience 
with network and application monitor- 
ing capabilities. Still further in the future 
are tools with semantic continuity from 
modeling to execution in the business 
process arena; however, the research did 
find that what already exists is maturing 
rapidly, and can provide a base for 
implementing the BTI. Perhaps surpris- 
ingly, not a single vendor included the 
Unified Modeling Language in either its 
list of product offerings relative to an 
SOA, or as a tool that it uses in its SOA 
engagements. 


*¢.. the DoD is 
making IA services 
a part of the 
Net-Centric Core 
Enterprise Services so 
that security is 
ubiquitous, well-tested, 
and a part of 
the infrastructure.”’ 


Data Virtualization and Data 
Services 

Among virtualization trends, virtualizing 
data sources has emerged as a real-world 
capability, and is a key component of the 
BMA SOA vision in which a virtual data 
store makes information from many 
sources available in real time without a 
physical store. The vendors include 
Composite Software, Red Hat Meta- 
matrix, IBM, and Streambase. 

The BMA research found that over- 
ali data virtualization and associated data 
services have matured to the point that 
there are many cases where they can 
produce high-performance and robust 
data sources and services to be used ina 
net-centric environment, significantly 
reducing the latency in data availability 
to business analysts and decision makers 
who do not need to wait for the period- 
ic load of a data warehouse or data mart. 


Information Assurance for 
SOA 
An SOA introduces new information 
assurance (IA) challenges. The interop- 
erability and extended, net-centric data 
sharing capabilities enabled by SOAs are 
themselves potential points of vulnera- 
bility. A compromised service registry 
provides an attacker with a detailed map 
of the operations and capabilities of an 
organization. Standards and standard 
protocols narrow the range of network 
capabilities that an attacker must sub- 
vert, and success wins wide access. 
Deploying an SOA in a responsible fash- 
ion must consider the effects of infor- 
mation warfare in addition to other plan- 
ning, Only through such IA diligence 
will the DoD be able to truly realize the 
savings and benefits that an SOA 
promises for a large, geographically dis- 
persed organization that must operate in 
the face of the exigencies of war. 
Additionally, SOAs must also meet old 
IA challenges including reliability, avail- 
ability, and non-repudiation. An SOA 
does not relieve implementers of the 
responsibility for solid engineering in 
areas of platforms, networking, back- 
ups, and auditing, Past best practices and 
standards must be brought to bear on 
SOA implementations as well as tradi- 
tional ones. 

As would be expected, the DoD is 


_ making IA services a part of the Net- 


Centric Core Enterprise Services so that 
security is ubiquitous, well-tested, and a 
part of the infrastructure. An SOA pro- 
vides the possibility to externalize secu- 
tity as a common, cross-cutting set of 
capabilities, themselves presented as ser- 
vices. In this way, each application or 
program does not have to master the 
complex technical capabilities required, 
but can declaratively define IA require- 
ments and expect them to be honored 
and enforced by the infrastructure. At 
the same time, DoD-level IA policy can 
be enforced on SOA operations, includ- 
ing authorization control, redaction, and 
auditing. An SOA must also work with 
the DoD’s Public Key Infrastructure to 
enable secure single sign-on, and to 
ensure preservation of appropriate non- 
repudiation characteristics as people and 
systems take action against DoD and 
BMA data assets. 

The BTI is intended to embrace and 
extend the DoD SOA and IA foundations. 
During the research, the BMA team stud- 
ied vendor capabilities with regard to IA 
and security in a number of areas. In par- 
ticular, there was support for emerging 


Software Engineering Technology 


Web Services security standards and the 

inclusion of IA capabilities, both for 

enabling IA and for working with an 

enterprise’s existing IA infrastructure. 

¢ Support for Web Services [A 
Standards. Vendor support for the 
Web Services standards stack (WS-*) 
and related sets of XML and network 
IA standards—such as the WS- 
Security Assertion Markup Language, 
and the eXtensible Access Control 
Markup Language—is maturing rapid- 
ly along with the standards them- 
selves. These standards are key to 
moving IA into the infrastructure, the 
SOA foundation, and enabling a 
declarative IA. Most of the deep 
stacks of SOA capability, such as 
those from IBM, BEA, Oracle, and 
Microsoft, have incorporated these 
standards throughout. 

¢ Enabling IA Infrastructure Capa- 
bilities. Some organizations includ- 
ed in the research (such as 
AmberPoint) focus explicitly on pro- 
viding SOA security capabilities. The 
market research found that there is a 
trend to make IA an integral part of 
SOA through provisioning, gover- 
nance, and key infrastructure, such as 
with the BTT’s interoperability con- 
troller. This holds out the promise 
that as an SOA is implemented in the 
BMA, it will not prove to be the soft 
and chewy inside of a hard and crunchy 
perimeter defense. | 

¢ Integration With Existing IA 

_ Infrastructure. DoD IA must be a 
consideration from the beginning of 
the life cycle. An SOA must be able 
to work and interoperate with IA 
standards, practices, and approaches 
developed during the DoD and US. 
intelligence community’s long experi- 
ence in producing networked IT sys- 
tems to provide defense in depth. 
The market research found that there 
is a convergence in this arena, with 
the DoD looking to adopt industry 
and commercial best practices in IA 
for its solutions, and SOA vendors 
(included in the research) willing to 
meet and accommodate the stringent 
IA requirements of the DoD. 


Governance 

Governance—the means to assure that 
laws, regulations, and policies are met in 
IT operations and investments—is of 
key importance for the move to an SOA. 
An SOA introduces new challenges for 
IT and business governance due to solu- 
tions composed from numerous distrib- 
uted services in an environment of het- 


erogeneous ownership and control, and 
by enabling widespread sharing of infor- 
mation and capabilities. The BMA strat- 
egy for SOA governance addresses both 
buildtime and runtime needs. 


Buildtime (Investment) Governance 

The research assessed buildtime gover- 

nance in the following areas: 

¢ Enterprise Architecture Satisfac- 
tion. The research found that enter- 
prise architecture tools are moving to 
explicitly model services, such as 
those from Mega Software or IBM 
(Telelogic). However, these tools 
have (at most) limited: interoperabili- 
ty with tools used to design and 
develop services. These tools also 


‘While serious caution 
remains in the areas of 
IA and security ... the 
need for significant 
cultural change for 
successful SOA 
implementation cannot 
be overemphasized ...”’ 


provide little in the way of automat- 
ed compliance checking or manage- 
ment of the transition between 
enterprise architecture models and 


service designs and implementations. 


¢ Duplication Avoidance. The re- 
search found that this aspect of gover- 
nance is provided largely by the ability 
of SOA development tools and envi- 
ronments to access service registries 
and repositories. This allows develop- 
ers to determine whether an imple- 
mentation for their service already 
exists. Additional metadata repository 
capabilities (providing further infor- 
mation) support this process. 

¢ Service Usage. The market research 
found that the main mechanisms for 
assuring that existing services are 
used as appropriate are through 
development tools that integrate 
with an enterprise’s service registries 
and repositories. These tools provide 
developers with service descriptions 
and specifications at design and build 
time. Many tool vendors, such as 
Lombardi and IBM, provide this 
capability. 


¢ Service Verification. The market 
research found that there is good 
support for test and verify SOA ser- 
vices—against functional require- 
ments and service level agreements 
(SLAs)—when combined with more 
traditional automated testing tools. 

¢ SLA Development. The market 
reseatch found support for capturing 
SLAs, but support for the actual ini- 
tial development of the SLAs is 
more limited. System architects and 
designers need to pay close attention 
to how they develop SLAs and trans- 
late them into digital form for use by 
automated SLA management capa- 
bilities. 


Runtime (Operations) Governance 
Runtime governance should provide vis- 
ibility into service operation allowing 
management of services, the ability to 
take corrective action (as needed) to 
ensure effectively uninterrupted business 
operations, and the capture of operation 
audit information. Provisioning, deploy- 
ing new services, and taking old services 
out of operation without significant 
impact on business activities or overall 
operations, are key parts of overall run- 
time governance. Characteristics looked 
for in runtime governance include the 
following: 
¢ Operational Visibility. Make the 
runtime state visible in both techni- 
cal (network and machine usage) and 
business terms. 
¢ Service Management. Monitor 
and manage the execution and oper- 
ation of services in an SOA. 
¢ Policy Enforcement. Enforce secu- 
rity and other policy-based con- 
straints in a declarative fashion, 
external to SOA services, allowing 
systems to adapt quickly to changing 
policy circumstances without coding, 
¢ Auditing. Track and record key 
events and actions within the SOA 
environment for later analysis. 
¢ Provisioning and Configuration 
- Management. Provision services 
for deployment in the SOA and track 
its configuration across changes as 
they occur. 


Governance Conclusions 

The market research found no complete 
solution available as a single package, 
but there is considerable governance 
capability available in the marketplace. 
For example, in the area of provisioning 
and configuration management, the 
research found that SOA management 
tools provide some of this capability, 


but may need to be joined with more tra- 
ditional configuration management and 
deployment tools for reasonable capabil- 
ity. Governance capability (as required 
by the BMA strategy for SOA) can be 
provided through commercial tools, but 
designers must carefully assess and 
acquire the components from various 
vendors in accordance with a strong 
design and plan that they must create for 
themselves. 


Conclusion 

The DoD BMA has embarked on an SOA 
strategy. The “BMA Architecture Feder- 
ation Strategy and Roadmap” provides 
guidance for the DoD BMA to quickly 
gain business value by delivering capabili- 
ty to support the warfighter through an 
SOA, while using a phased approach for 
transforming legacy systems. The mar- 
ket research performed by the BMA 
Office of the CTO and CA has found 
that industry capabilities to implement 
or enable the components defined in the 
BMA Service-Oriented Infrastructure 
have matured in the marketplace. While 
serious caution remains in the areas of 
IA and security, and the need for signif- 
icant cultural change for successful SOA 
implementation cannot be overempha- 
sized, it is clear that it is feasible for an 
enterprise the size of the DoD to move 
forward on implementing an SOA and 
to realize the business benefits of agility, 
interoperability, and net-centric data 
sharing that an SOA provides. 

The opinions expressed in this article 
are those of the authors only and in no 
way constitutes the policy or express 
direction of the DoD. For additional 
information about the vendors, see the 
online version of this article.® 


Note 

1. According to the U.S. Government 
Accountability Office, “A service- 
oriented architecture is an approach 
for sharing functions and applica- 
tions across an organization by 
designing them as discrete, reusable, 
business-oriented services. These 
services need to be, among other 
things, (1) self-contained ...; (2) pub- 
lished and exposed as self-describing 
...; and (3) subscribed to via well- 
defined and standardized interfaces.” 
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